
Revisiting Browser Security & Extensions

A few thoughts on browser security and recent history

(02.10.18) UPDATE: Google has set new rules for extensions and their permissions, as well as for the Chrome Web Store. This is very good news. Link is here.

Lately there has been a recurring discussion about browser extensions by many in the field. I thought this would be a fitting time to revisit how we think about browser security and share some recent events to show how flawed this system still is. A while ago I wrote another blog post about browser security where I demonstrated an attack vector and argued that you should be careful about which extensions you install (if you haven’t read it, click here).

Now, browser extensions being potentially harmful is nothing new to us, but we have a chance to educate other people about browser security once again, which is the least we could do. When I published the above-mentioned blog post, I got a bit of backlash on mediums like Reddit (what a surprise!), which was weird to see either way because you can literally see real-world examples that happened days ago, impacting the end user. I was getting comments such as: “If I have this browser extension it can do anything anyway”. Well, I thought, that statement is completely true, but my intent was to show what extensions could potentially do in a harmful way. I also got: “No one would just install a random extension and it’s strictly monitored in the store”. That’s outright false. There are a lot of big browser extensions that harvest user activity data, which is used for analytics and later sold to advertising companies.

In fact, many users don’t actually realize that they’re either being tracked or that a harmful extension is doing malicious things. The number of people who can actually identify such extensions is very small. Your granny couldn’t possibly know it unless some work is put into examining extensions. And even then, sources show that some professionals are still subject to such attacks or tracking in general (see this excellent talk about browsers and extensions from CCC: https://www.youtube.com/watch?v=K36fe7txXhQ (sorry, it’s German)). But then again, you can’t blame them for just that; it’s a difficult topic. This could have multiple reasons. One recent example is that extension vendors get their credentials compromised and a harmful version of the extension is pushed out and distributed: the user gave consent/permission to the original extension, but it was later replaced by a harmful one (see the case of MEGA: https://serhack.me/articles/mega-chrome-extension-hacked).

In the MEGA case the credentials for their Chrome Web Store account got compromised. This led to the harmful version getting distributed and generally seen as legitimate until a security researcher noticed something was off. The problem was that the Chrome Web Store is generally only protected by simple account credentials and not additionally by a binary signed by the developer itself. It isn’t clear who to blame here; both sides could improve in different regards. But there are also cases where vendors are careless (see the case of Keybase: https://palant.de/2018/09/06/keybase-our-browser-extension-subverts-our-encryption-but-why-should-we-care).

The sad truth is, there is no good solution to this problem at the moment. The companies that offer distribution platforms for browser extensions, namely Google, Mozilla and the like, are very slow or do not properly review extensions for their real intent and whether they are what they say they are. Recently though, Apple took action to take down applications that tracked users. Apple’s stance on privacy is refreshing in a world where we’re supposed to be the product.

A discussion about the granular permissions a browser extension could have is a whole other topic in and of itself. There are a lot of big browser extension vendors who don’t actually specify what they want permission to, and that’s completely OK because some have to be present across different tabs, but there are a lot who just abuse the browser extension APIs and request access to either everything via ‘<all_urls>’ or don’t use proper match patterns (see documentation here).

Again, the sad thing is they’re completely allowed to do that. No one is checking when ‘Nelly’s Pet Shop Extension’ wants access to the page with your banking information (you only get asked once upon install and then it always has access to it). There should be more specific and granular permission prompts for end users so they can clearly understand what the extension wants to do.
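
To make the difference between ‘<all_urls>’ and a proper match pattern concrete, here is an added example (not code from Chrome, Mozilla or any extension vendor) that reads an extension manifest and reports how much of the web each host permission covers. The two manifests, the extension's domain and the function names are constructed for illustration.

```javascript
"use strict";

// Match pattern: <scheme>://<host><path>. "<all_urls>" is a special value.
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/;

// Classify how much of the web a single permission string covers.
function classify(entry) {
  if (entry === "<all_urls>") return "all-sites";
  const m = MATCH_PATTERN.exec(entry);
  if (!m) return "api-permission";            // e.g. "tabs", "storage"
  const [, scheme, host] = m;
  if (scheme === "file") return "local-files";
  if (host === "*") return "all-sites";       // e.g. *://*/* or https://*/*
  return host.startsWith("*.") ? "domain-and-subdomains" : "single-host";
}

// Collect every host pattern in the manifest together with its scope.
function auditManifest(manifest) {
  const sources = [
    ["permissions", manifest.permissions || []],            // Manifest V2 hosts
    ["host_permissions", manifest.host_permissions || []],  // Manifest V3 hosts
  ];
  (manifest.content_scripts || []).forEach((cs, i) =>
    sources.push([`content_scripts[${i}].matches`, cs.matches || []]));
  const findings = [];
  for (const [where, entries] of sources) {
    for (const pattern of entries) {
      const scope = classify(pattern);
      if (scope !== "api-permission") findings.push({ where, pattern, scope });
    }
  }
  return findings;
}

// Constructed sample manifests (hypothetical extension and domain).
const broadManifest = {
  name: "Nelly's Pet Shop Extension",
  permissions: ["storage", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};
const scopedManifest = {
  name: "Nelly's Pet Shop Extension",
  permissions: ["storage", "https://*.nellys-petshop.example/*"],
  content_scripts: [{ matches: ["https://shop.nellys-petshop.example/*"], js: ["content.js"] }],
};

for (const m of [broadManifest, scopedManifest]) {
  console.log(auditManifest(m).filter((f) => f.scope === "all-sites"));
}
```

The first manifest yields two "all-sites" findings, which is the case where the pet shop extension can read your banking page; the second yields none because its access is limited to its own domain.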

I’d honestly like a better discussion about this than the ones on mediums like Reddit or Twitter, but that’s all we’ve got. Please, if you’d like to talk about this topic, send me an email or DM me on Twitter. I’m open to constructive criticism as well.